Why doesn't Bitcoin migrate to proof-of-stake?



After reading a little bit about different consensus algorithms, I am just trying to understand why Bitcoin still uses proof-of-work. This consensus algorithm being exponentially expensive, and resource intensive, doesn't it make more sense for Bitcoin --the most expensive cryptocurrency out there-- to migrate to proof-of-stake?

Currently, Bitcoin transactions are so expensive that day-to-day transactions, like buying a cup of coffee, can be more expensive than the good/service itself in some parts of the world, which fails to deliver one of the original goals of Bitcoin. That is to be the common person's every-day money.

Why does Bitcoin stick to the proof-of-work consensus algorithm?

Oscar Serna

Posted 2020-04-19T15:13:16.230

Reputation: 582

3Was everyday use ever really a goal of Bitcoin? The number of transactions it can process per hour is hard-limited by its design. Either Satoshi Nakamoto didn't understand the order of magnitude of the world financial system or replacing it was never the intention. – Philipp – 2020-04-20T12:13:23.037

7According to the whtepaper, everyday use was the goal. At the time when the limit was introduced the number of transactions was order of magnitudes lower; and the code was basically in the alpha/prototype stages. I'm sure replacing the limit was the intention, but Satoshi didn't know of a viable solution. – csiz – 2020-04-20T15:04:08.687

@Philipp Scaling to everyday use is clearly a difficult task, but its worth noting that on-chain transactions per second =/= payments per second. Finding nuanced ways to create bitcoin transactions which allow us to pack a huge number of payments into a single on-chain transaction is an interesting approach that may be viable. The lightning network is an example of this. – chytrik – 2020-04-20T21:41:15.433

Because it's not Ethereum. – VSO – 2020-04-22T14:41:18.440

Oh, I thought micro transactions are the most important application of Bitcoin. – Volker Siegel – 2020-04-23T06:35:13.060



Proof of Stake is basically a case of having your cake and eating it, too.

PoW is a simple work-around to a coordination problem that was previously thought to be unsolvable. It sort of "cheats" by providing an economic solution to a distributed systems challenge, by introducing a real cost as a disincentive to unwanted behavior as well as using a reward system both to bootstrap itself and to incentivize security. The advantages of Bitcoin's PoW system include that the group of block authors is truly open to anyone with computational resources, that the system converges on one ground-truth because there is a real cost in producing a competing chaintip, and that it is simple enough for its security model to be well understood.

PoS is more similar to the approaches that were pursued before the publication of Bitcoin. PoS is naturally divergent as there is no real cost in staking. The "Nothing at Stake problem" allows stakers to work on multiple chaintips and only publish the next block from the chain most favorable to them. There are different ways of approaching the vastly different security model of PoS.

"Casper summany: FIx stuff with Staking. FIx the problems in that with bonding and checkpoints. Fix problems with that with being fuzzily forgiving about slashing. Make it all 'rigorous' by doing real proofs of something somewhere" – Bram Cohen -src

For example, ETH's effort to switch to PoS has been in research for over five years. The latest I've read, ETH's current PoS proposal piles multiple layers of complexity on top of the staking to achieve convergence. Stakers have to not only hold capital to stake, but register as "Validators" of which there can only be a limited number. Validators have to put up a collateral that can be slashed if they attempt to work on more than one chaintip at the same time.

Other approaches to and issues with PoS include:

  • Some systems introduce a central party that rubberstamps the latest block (e.g. Peercoin). Existence of such a coordinating party costs the system its censorship resistance.
  • Since stakers have to hold funds in the system to author blocks, it's difficulty to have a fair launch of a PoS system. Many PoS systems get either started as airdrops, ICOs, or a proof of burn auction.
  • Staking requires some representation of the private key to be online at all times, which may mean that it is easier to redirect some of the staking power (in early PoS systems it had to be the actual private key, so not only staking power but actual funds could get stolen).
  • Some systems require coins to have a certain amount of confirmations before being allowed to be used for staking, so spending funds interrupts your staking revenue.
  • Some people expect that staking revenue will be taxed differently than mining revenue.
  • Some PoS systems can be gamed for profit by trying a vast number of block candidates to cause the staker to get blocks more often than their stake should qualify them for. Such an incentive may turn such PoS systems just into PoW schemes under the hood.
  • Some researchers argue that "by depending only on resources within the system, proof of stake cannot be used to form a distributed consensus, since it depends on the very history it is trying to form to enforce loss of value".

So, while the Ethereum Foundation keeps giving (and missing) new delivery dates for an incomplete research project, there seems to be less interest among Bitcoin contributors to discuss Rube Goldberg contraptions.

And then, beyond the general skepsis for PoS, it wouldn't be feasible to just switch to it:

"Even if there somehow was a workable solution that had desirable properties and security proofs, it would be working under a vastly different security model than PoW… and nobody can just decide to make such a change without enormous community consensus for such an invasive change." –Pieter Wuille


Posted 2020-04-19T15:13:16.230

Reputation: 51 063

3Thanks a lot for the great explanation! So, for what I can conclude from your post, PoS is interesting in theory, but very hard to implement into practice because of its divergent nature, which leads to the need of extra layers on the protocol, which also means more complex mechanism and therefore less secure/efficient? – Oscar Serna – 2020-04-20T08:08:00.877

I still think there is something the Bitcoin community has to do about the high cost for transactions. This specially true for small-amount transactions due to the way that the transaction cost is calculated. – Oscar Serna – 2020-04-20T08:20:17.370

I found this answer confuse – Pedro Lobito – 2020-04-20T14:47:14.553

@OscarSerna that's about it. I think the answer could have emphasised that POW is also the only way to bootstrap the system. Proof of stake would not work at the start when there's nothing of value to stake. – csiz – 2020-04-20T15:13:56.120

4@OscarSerna to reply to your second comment. Proof of stake doesn't solve high transaction costs; that is controlled by the transaction limit and desire of people to have their transactions finalised soon. To fix that you need to get logarithmic scaling with transactions. Ethereum's solution to that is sharding, which is a different beast than POS; but equally complex. – csiz – 2020-04-20T15:17:55.863

Thanks a lot for your answer. Very interesting topics to study. – Oscar Serna – 2020-04-20T15:37:11.543

@OscarSerna The cost of transactions is solved by increasing block size to allow more transactions to fit into a block. The cost of mining is nearly constant regardless of block size, so allowing more transaction in a block means each transaction can have a smaller fee without changing the reward for mining the block. However, increasing the block size requires a hard fork, which is why Bitcoin Cash (BCH) was created. – Paul – 2020-04-20T20:42:33.197

@PedroLobito: I've turned the example paragraph into a bullet list instead. That might make it a bit clearer. – Murch – 2020-04-20T22:43:37.127

2OscarSerna: The transaction cost is not closely related to the consensus mechanism as csiz explained. – Murch – 2020-04-20T22:45:14.020

@OscarSerna Lightning networks solves transaction cost issue for small transactions so much so that it makes transactions at the Wei level economically feasible. But it comes with its own set of issues. Lightning network is live now though and you can use it to send real Bitcoins – slebetman – 2020-04-21T02:00:15.087

@slebetman As far as my understanding goes, the lightning network only solves the problem for a small segment of the cases of use of Bitcoin since it's only useful when you are planning ahead on transacting several times with the same peer in the future. The lightning network is very good, but doesn't solve the problem of high fees on transactions for the most common scenarios like dealing with mostly unrepeated peers, or simply not having the funds to lock up in a channel for future use. I agree that it is a good step forward though. – Oscar Serna – 2020-04-21T13:26:08.373


The lightning network allows you to send payments to any other participant it can find a route to. It does work better for small payments, though. See for example https://bitcoin.stackexchange.com/q/43700/5406

– Murch – 2020-04-21T14:12:25.037

@OscarSerna Your understanding is wrong. You are focusing too much on the mechanism (debt passed to your neighbor in the lightning network) instead of the actual transaction (payment reaching your target). Lightning network works by passing debt around and then consolidate all debt transactions into a single bitcoin transaction when you close the network. As such as long as you are on the lightning network payments cost almost nothing (which is why payments of merely 1 Wei makes sense on Lightning). You don't need to plan ahead, all you need is just both you and the receiver be on the network – slebetman – 2020-04-21T19:59:23.090

2@OscarSerna .. there's nothing that says you need to open the lightning network when you want to do the payment and close the lightning network once you've done the payment. You can open it as long as you like. You can spend bitcoins on the lightning network for as long as you haven't closed the network but those bitcoins cannot be spent on the main bitcoin blockchain. Once you close the network you can no longer spend those bitcoins on the lightning network but you can now spend it on the bitcoin blockchain. Think of it like a prepaid card for bitcoin – slebetman – 2020-04-21T20:02:25.117

Ok got it. Thanks a lot for your reply @slebetman . I guess I had it all messed up about the lightning network. I am currently developing my own tools for Bitcoin in Python, and I haven't made it there yet, so now I'm looking forward to start coding the lightning network as my next step. – Oscar Serna – 2020-04-22T01:14:02.947


I think there are at least four reasons:

  1. The miners are stakeholders in the bitcoin ecosystem. Mining solves a problem for them. Taking away PoW mining would make bitcoin no longer work for one of its most important group of stakeholders.

  2. Non-miners are in bitcoin because they like what bitcoin is. If they want some other consensus scheme, they know where to find it. There is certainly room in the market for at least one PoW chain and that's what bitcoin is.

  3. Major changes impose costs on every participant in the ecosystem. Every implementation has to implement the new rules. Everyone has to test that the new stuff doesn't break anything they're relying on.

  4. There isn't a consensus in the community that PoS can provide the same level of security as PoW at lower cost. That's the claim PoS advocates make, but it's far from an accepted truth.

David Schwartz

Posted 2020-04-19T15:13:16.230

Reputation: 48 957

A thing that is not clear still to me is why in PoS, forks occur? I would appreciate any comment or answer to this related question: https://ethereum.stackexchange.com/q/87553/23024 Thanks

– Questioner – 2020-09-17T16:50:44.340


I think there are some very convincing theoretical arguments to be made, but there is also just a very practical consideration:

Right now, a very large portion of BTC is being held in the cold wallets of popular exchange platforms. Hardcore bitcoiners will shake their heads and declare "Not your keys, not your coins!", but this apparently has not stopped traders and normal users alike from keeping their coins stored with a custodial third party. Looking at the 'bitcoin rich list', we can confirm the huge number of coins held by exchanges.

This fact would put exchange operators in an undue position of power over the network: by staking coins owned by their users, the exchange operators can obtain a large, centralized point of control over the network's consensus operations.

There are already risks present when allowing a third party custodian to manage your coins/private keys, but switching to a POS system adds an entirely new and very serious type of risk! This is a very serious risk because it is existential in nature: if an exchange operator were to abuse their control of this huge number of coins somehow (by staking maliciously in some way or another), it would affect every user of the system, not just the users of that exchange.

This problem is only amplified by the fact that you have to not only trust the exchange operators to not act maliciously, you also have to trust them to secure their system against theft and intrusion. It is bad enough when hackers steal funds, giving hackers the ability to attack the network consensus as well is, in my opinion, an untenable addition of risk.

In case you aren't convinced: This risk is not theoretical, an attack like this recently happened on an altcoin network (Steem, mid-late Feb 2020). It appears that exchanges colluded to stake the coins they held custody of, in an effort to disrupt network consensus. A quick websearch brings this article about it up.


Posted 2020-04-19T15:13:16.230

Reputation: 13 841

3I do not think that the Steem scenario is very realistic for BTC; it started with a single exchange being dominant, and the Steem story highlights that this would ultimately kill the entire ecosystem of the coin in question. BTC had a similar problem in the past, where a majority of miners would in located in China; after some discussion, the Chinese miners agrees to stay well below 50% because they knew that BTC could break down anytime if they continued to grow, losing more than they could gain from growing. – toolforger – 2020-04-20T03:21:38.580

This is a really interesting theory. I also think that toolforger is right about ecosystem regulating itself. Some good game theory applied here. Thanks for enriching the thread. – Oscar Serna – 2020-04-20T08:16:16.033

@toolforger right, it is a different situation, but I think this is still a foundational problem that is slightly different than miner centralization: With PoW, every effort is made to ensure the protocol does not favour or promote miner centralization. With PoS, centralization of coins seems unavoidable (exchanges hold a huge portion, and the fact that 'the rich get richer' under PoS only exacerbates this). Additionally, a hacker that steals coins could attack and incur almost no cost (other than lost value of the stolen coins), the same cannot happen in PoW. – chytrik – 2020-04-20T21:48:12.967

I am not so sure about that "the rich get richer" aspect of PoS. If it's proportional to the amount held, the minting reward will be distributed accordint to the current money distribution and relative wealth remains unchanged. This changes if you have to allocate your money for PoS - the poor won't be able to allocate anything, and the rich will want to keep their money in cold wallets; I don't know how this plays out in practice. – toolforger – 2020-04-21T06:24:49.547


In addition to other answers, Bitcoin investors would also like to have a very conservative approach to updating bitcoin. Messing with the core idea will increase the perceived risk for something wanting to be a store of value.


Posted 2020-04-19T15:13:16.230

Reputation: 121


Proof of stake just doesn't work the same as mining from an economic incentive standpoint.

Miners make real-world investments, in advance, in equipment that becomes less valuable as difficulty increases.

Miners have no guarantee that their investment will pay off, they merely have a probability of finding a good proof of work.

Staking chains are vulnerable to new attacks, like "long range" attacks, "fake stake" attacks, etc. Staking is just as easy to pool and manipulate as mining.

Proof of stake systems have some good solutions, but they aren't all solved. Until they are solved, Bitcoin definitely won't transition.

A more realistic transition would be to a proof-of-burn, where a p2sh burn is locked to a height, and gets you a decaying probability of being able to mine some future block.

Erik Aronesty

Posted 2020-04-19T15:13:16.230

Reputation: 377